· Describe the information to be collected, why the information is being
collected, the intended use of the information and with whom the information
will be shared.

Security Management Access Control System (SMACS) is a Social Security
Administration (SSA) certified and accredited General Support System
consisting of several sub-systems. It automates and helps us implement the
Homeland Security Presidential Directive 12 (HSPD-12) Personal Identity
Verification (PIV) mandate, facilitates access to SSA buildings and systems,
and supports physical security initiatives. We describe several of the
sub-systems below, including the information we collect, use, and share:

Electronic Personal Enrollment Credential System (EPECS) functions as the
primary entry point for the enrollment process for SSA employees,
contractors, and other agency personnel. We collect information via EPECS to
create a credential record. We maintain the data throughout the PIV card
lifecycle. We also use EPECS when conducting a background or national
security investigation and for identity proofing an applicant.

Card Management System (CMS) is
responsible for managing the issuing of the credential including card production (manufacturing, printing, and shipping) and
public key infrastructure (PKI).

We collect and maintain information that relates to the registration and
issuance of PIV cards, and we disclose the information only to individuals
with a “need to know,” i.e., individuals who would require the information to
perform their official duties; to the subject of the record; and to other
persons pursuant to an applicable routine use provision as authorized by the
Privacy Act of 1974, or as otherwise permitted by Federal law. For example,
under a routine use, the agency may disclose information to contractors, as
necessary, to assist us in efficiently administering agency programs.

Physical Access Control System
(PACS) controls access to SSA facilities using an authorized credential and is
implemented across many sites using the LENEL Security Access System
(LSAS).

We collect the information shown in the table below for individuals with a
legitimate need for entry to the secured Automated Data Processing (ADP) areas
in the National Computer Center (NCC) and adjacent buildings. LSAS
determines that the card PIN entered is correct for the card presented to the
card reader and that the individual is authorized to access that area.
The system records (or sounds an alarm in designated areas) when there is an unauthorized
attempt to enter a protected zone or if anyone attempts to tamper with security
sensors.

We use LSAS to safeguard personal and sensitive records about individuals,
and to restrict access to SSA's computer facility and other secured areas that
house the records. LSAS collects information to verify individuals’
access to a given secured area and to provide a record of those individuals
authorized to access various areas of the NCC and adjacent building when they do
so. In addition to ensuring the security of the computer facility and
secured areas, data in the system is also used for management purposes to
ensure and to verify time and attendance when employee fraud or abuse is
suspected.

Security Automated Features and Enhancements (SAFE) is a system consisting of
several web-based tools that support physical security requirements. These
tools allow us to perform compliance and risk assessments; look-up and print
images for property passes; grant physical access to buildings, rooms, or
system access levels; and request parking permits and update an individual’s
parking record. We list several of the tools below:

- Automated Incident Reporting System (AIRS): We use this module to report
  security incidents at the location of the logged in user.
- Compliance and Risk Survey System (CARS): We use this module to perform
  compliance and risk assessments for a given site.
- Card Management System (CMS) Image Creator: We use this module to look up
  and print images for property passes.
- Physical Access Management (PAM): We use the PAM module to grant physical
  access to buildings, rooms, or access levels.

We collect individual data in the SAFE system indirectly through its
interface with the CMS. We use this data to automate and centralize physical
security-based processes and workflows, including access requests, physical
security compliance assessment reports, physical security action plans,
occupant emergency plans, incident reporting, and physical security funding.

We disclose the information collected by the SMACS system only as necessary
to management officials and employees responsible for ensuring the
appropriate individuals have authorized entry to secured ADP areas, and for
undertaking investigations of, or other corrective measures against,
individuals gaining entrance without authorization, or as authorized by
Federal law.

We list the information we collect and may share for each of the various
sub-systems below:

Status of National Agency Check with Inquiries background investigation | X | X
Telephone | X | X | X

· Describe the administrative and technological controls that are in place or
that are planned to secure the information being collected.

SMACS security includes technical,
management, and operational controls that permit access to information only to
persons with an official “need to know.” For example, these systems enforce the use of access codes (personal
identification number and password) to enter computer systems that house the
data. We maintain electronic files with personal identifiers in secure
storage areas. We use audit mechanisms
to record sensitive transactions as an additional measure to protect
information from unauthorized disclosure or modification.

Additionally, we require that users of the SMACS system authenticate to the
SSA network using their SSA-issued 6-digit PIN and password or their PIV
Credential. For EPECS, the user must also hold the necessary Top Secret
profiles to be granted access to the system. For the SAFE system,
authentication is achieved through Single Sign On (SSO), which verifies that
the user holds the necessary permissions and is authenticated prior to being
presented the SAFE user interface (web portal).

In addition to authentication and access controls, SMACS systems use audit
mechanisms to record sensitive transactions as an additional measure to
protect information from unauthorized disclosure or modification.

The Office of Security and Emergency Preparedness and the Office of
Information Security annually provide appropriate security awareness training
to all our employees and contractors that includes reminders about the need
to protect Personally Identifiable Information (PII) and the criminal
penalties that apply to unauthorized access to, or disclosure of, PII. See
5 U.S.C. § 552a(i)(1). Furthermore, employees and contractors with access to
databases maintaining PII must annually sign a sanction document that
acknowledges their accountability for inappropriately accessing or disclosing
such information.

· Describe the impact on individuals’ privacy rights.

The agency holds legal authority to
collect this information to administer responsibilities under the Social
Security Act. When we collect information from users wishing to conduct
business with us through electronic services, we provide them with a Privacy
Act Statement to advise them of the agency’s legal authority for requesting the
information and explain the possible effects if they choose not to provide the
information. Users can then make an
informed decision whether or not to provide their personal information.

· Are individuals afforded an opportunity to decline to provide information?

We require individuals to provide us
with this information for employment and access to our systems and
facilities. When we collect a person’s
information, we advise him/her of the purposes for which we will use the
information. The individual is further advised that the information may
be disclosed without written prior consent only when there is a specific legal
authority to do so (e.g., the Privacy Act of 1974).

· Does the collection of this information require a new system of records
under the Privacy Act (5 U.S.C. § 552a) or an alteration to an existing
system of records?

The SMACS System does not require a new Privacy Act system of records (SOR)
or an alteration to an existing system of records. We have several
established systems that govern the information we collect through this
system and the various sub-systems we explain in this PIA. The SORs include:
Record of Individuals Authorized Entry to Secured Automated Data Processing
Area (60-0210); Personal Identification Number File (60-0214); Parking
Management Record System (60-0230); Records of Individuals Authorized Entry
into Secured Areas by Digital Lock Systems, Electronic Key Card Systems or
Other Electronic Access Devices (60-0270); Visitor Intake Process-Customer
Service Record (60-0350); and Identity Management System (60-0361).
